Project 2: Firewall Design (Phase I)



Similar documents
Project 2: Penetration Testing (Phase II)

Lab Objectives & Turn In

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewall implementation and testing

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

CS Computer and Network Security: Firewalls

CS Computer and Network Security: Firewalls

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewalls. Pehr Söderman KTH-CSC

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Host Fingerprinting and Firewalking With hping

How to protect your home/office network?

Network Traffic Analysis

Linux: 20 Iptables Examples For New SysAdmins

CSC574 - Computer and Network Security Module: Firewalls

Case Study 2 SPR500 Fall 2009

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Chapter 7. Firewalls

Network Security CS 192

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

LAB THREE STATIC ROUTING

Linux Networking: IP Packet Filter Firewalling

+ iptables. packet filtering && firewall

Linux MDS Firewall Supplement

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

How to Secure RHEL 6.2 Part 2

Host Discovery with nmap

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Protecting and controlling Virtual LANs by Linux router-firewall

Linux Firewalls (Ubuntu IPTables) II

FIREWALL AND NAT Lecture 7a

Overview. Firewall Security. Perimeter Security Devices. Routers

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Linux MPS Firewall Supplement

Packet filtering with Linux

Linux Cluster Security Neil Gorsuch NCSA, University of Illinois, Urbana, Illinois.

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

EE984 Laboratory Experiment 2: Protocol Analysis

Linux Routers and Community Networks

CIT 480: Securing Computer Systems. Firewalls

Guideline for setting up a functional VPN

A S B

Assignment 3 Firewalls

Information Security Training. Assignment 1 Networking

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls. Chien-Chung Shen

allow all such packets? While outgoing communications request information from a

Firewalls. Chapter 3

Client Server Registration Protocol

CSE543 - Computer and Network Security Module: Firewalls

Linux Network Security

Firewalls & Intrusion Detection

Chapter 4 Firewall Protection and Content Filtering

Secure use of iptables and connection tracking helpers

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Manuale Turtle Firewall

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

10 Configuring Packet Filtering and Routing Rules

CIS 433/533 - Computer and Network Security Firewalls

Network Security Management

ipchains and iptables for Firewalling and Routing

CS 161 Computer Security

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

10.4. Multiple Connections to the Internet

Topics in Network Security

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Definition of firewall

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )

Cryptography and network security

- Basic Router Security -

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

Technical Support Information Belkin internal use only

CIT 480: Securing Computer Systems. Firewalls

Security Type of attacks Firewalls Protocols Packet filter

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

IP Address: the per-network unique identifier used to find you on a network

Stateful Firewalls. Hank and Foo

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

EXPLORER. TFT Filter CONFIGURATION

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Strategies to Protect Against Distributed Denial of Service (DD

General Network Security

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

Firewall Design Principles Firewall Characteristics Types of Firewalls

From Network Security To Content Filtering

Chapter 4 Firewall Protection and Content Filtering

Transcription:

Project 2: Firewall Design (Phase I) CS 161 - Joseph/Tygar November 12, 2006 1 Edits If we need to make clarifications or corrections to this document after distributing it, we will post a new version to the class website and we will announce the new version on the class newsgroup. Please be patient, as this is a brand-new project that we re running for the first time. 11/12: Updated description of writeup required for Phase I submission. Added section describing grading policy. 11/8: Clarified that the time server and echo server are the same machine. 11/6: Clarified TCP vs. UDP for ports listed in functionality requirements. Changed wording from Security requirements to Security goals. 2 Overview 2.1 Your Task For this project, your group will play the role of a consulting company hired to design and test firewalls for corporate networks. The project will have two phases. In Phase I, you will be presented with a network and a set of requirements and asked to produce a firewall that protects the network while meeting the functional requirements. In Phase II, you will be given several competing implementations and your job will be to analyze and test them for weaknesses. This document describes Phase I. The specifications for Phase II will be posted at the end of Phase I. 2.2 Deadlines Phase I: Monday, November 13, 11:59 pm Phase II: Monday, November 20, 11:59 pm 2.3 Getting started As of the first posting of this document, we are still ironing out some problems with DETER, though the project infrastructure should be up and fully functional within the next week. However, there is plenty to do in the meantime. To begin with, we suggest three things (which you should do first even if DETER were ready to go right away): 1. Read the specifications in this document and write some pseudocode rules like the ones we ve seen in class. 2. Read the iptables tutorial at http://www.netfilter.org/documentation/howto/packet-filtering-howto.html. (More information in Section 5.1 below.) Then write a first-draft iptables version of your rulesets. 3. Skim the DETER tutorial at http://www.isi.deterlab.net/tutorial/docwrapper.php3?docname=tutorial.html. 1

You don t need to know most of the information in this tutorial, but you should start getting a feel for what DETER lets you do and what it s like to work with it. 3 DETER DETER is a large-scale testbed on which complex network experiments can be run. Each project group will have an account on DETER that will give you access to the network to run your firewall and test it out. The home page for DETER is http://www.isi.deterlab.net/, and you can browse through the documentation there. More information will be posted to the website within the next week, as we get the bugs worked out. 4 Phase I Specifications 4.1 Network topology The network you must defend appears in Figure 1. There are two firewalls separating the network into four distinct segments: 1. The internet is everything outside of this organization s network. It is completely untrusted. 2. There is a DMZ, where all publicly visible servers reside. 3. The internal LAN is where employees have their workstations. Some workstations are admin machines with additional access privileges (see Section 4.2). 4. There is also a core net, which holds the company s sensitive data and servers. As shown in the figure, firewall FW1 links the DMZ to the internet, and firewall FW2 links the DMZ, the LAN, and the core net. In practice, there will be only one internet machine ( remote ), one normal employee LAN machine ( user ), and one admin LAN machine ( admin ). 4.2 Required functionality There are several functionality requirements that your firewall must preserve: HTTP service. The company needs its web server to serve content to the general public (the internet). The internet needs HTTP access to the web server (TCP port 80). The web server needs to be able to talk to the database in the core net on TCP port 3306. Login service. Employees need to be able to log into their machines from home or when traveling. There is a login gateway in the DMZ that should be a single point of access. The internet needs SSH access to the login gateway (TCP port 22). The login gateway needs SSH access to machines on the LAN. Time and echo services. The company provides a time/echo server that replies to queries by giving the time of day or repeating the message received. The internet and LAN need access to the time/echo server on TCP port 2000 (time) and TCP port 2001 (echo). Employee workstations. Workstations on the LAN must have full access to the internet. Administration. Admin machines on the LAN need ssh access to all DMZ and core net machines. Furthermore, ping (ICMP echo requests and responses) should be allowed to all machines from anywhere, as it is a useful diagnostic tool to see if a machine is up and reachable. Signature server. Employees can submit documents to be signed by the company s private keys. LAN machines need access to the signing server on TCP port 1729. 2

Figure 1: Graphical representation of the network topology. The node remote is outside the corporate network on the internet; all other nodes are within the corporate network. 3

4.3 Security goals The security goals for this network are described here at a high level, and it is your job to interpret them into a concrete security policy. Assume that an attacker has full control over one machine on the internet and can send arbitrarily crafted network traffic at your network. The security goals are very high-level for this project and focus on protecting the company s resources. Here are the main resources that need protection: Key confidentiality/integrity. The signing server holds the company s private keys, and a compromise of these keys would be very bad. If the keys could be accessed directly by the attacker that would be devastating; if the attacker could have an arbitrary message signed then that is very bad too. Database confidentiality/integrity. The database server holds data that is secret and very valuable to the company. Any access to that data, either reading or writing, would be a severe breach of security. Workstation confidentiality. Each employee may have confidential information on his or her workstation. Access to any data on LAN workstations is a breach of security. Web integrity/availability. The company website is its public face and therefore one of its key assets. Defacing the website or causing it to be unavailable is bad. Login availability. Employees need remote access to do their work, so preventing them from logging in is undesirable. Time integrity/availability. The time server lets employees synchronize their clocks, so having it unavailable is unfortunate and providing an incorrect time is very bad. Many of these security goals can be enforced by your firewall, though not all, and some only partially. You are to write your firewall to preserve as many of these goals as possible, and you should also think about whether there are other desirable security goals not mentioned here. This is a high-level description, so you may need to interpret them a bit when formulating your packet-level policies. The network topology is designed to help enforce some separation and access constraints, and your firewall should take advantage of that. 5 Software and Tools 5.1 Firewall software For this project you will write an iptables firewall to run on a linux system. iptables is close enough to the firewall syntax you learned in class that you should be able to pick it up relatively easily. Lots of information about iptables can be found here: http://www.netfilter.org/documentation/index.html In particular, you should start with the Packet Filtering HOWTO. (Note that the HOWTO was written for the linux kernel 2.4 but your firewall will actually be running on linux kernel 2.6; however, there should not be significant differences.) Here are some tips on getting started with iptables. The paradigm for iptables is that you will call it once for each rule, adding that rule to the existing set. You can type each command at the command line or you can write a shell script to call it for each rule in your policy; the latter is recommended! The first thing you should probably do is flush the tables, so that you can start fresh with a new ruleset: iptables -F You can do this at any time to start over; you should do this between calls to your firewall script (or just put it at the start of the script). iptables has three different firewall rulesets, called chains. These chains are INPUT, OUTPUT, and FOR- WARD. 4

The INPUT chain filters traffic destined for the firewall machine itself. The OUTPUT chain filters traffic generated by the firewall machine. The FORWARD chain filters traffic routed through the firewall. You will mainly be interested in the FORWARD chain. Note that even though the forwarding process involve traffic entering the firewall and then leaving, the INPUT and OUTPUT chains are never invoked during the forwarding process. You might want to put some rules in the INPUT and OUTPUT chains to protect the firewall machine itself from attacks, but be careful not to block your own administrative access to the firewall! The second thing you might want to do is turn on default deny. Default accept is the initial policy of iptables. The command to turn on default deny for the FORWARD chain is: iptables -P FORWARD DROP Now you can start adding rules. The command to add rules has the format: iptables -A <chain>... -j <target> Where <chain> is INPUT, OUTPUT, or FORWARD, and <target> is ACCEPT or DROP. In place of... you can specify rules that determine which packets get through. For example, to allow pings to pass through, you can use iptables -A FORWARD -p ICMP -j ACCEPT The -p option specifies a protocol. Protocols include TCP, UDP, and ICMP. You will need to specify interfaces in your rules. the -i flag and -o flag specify input and output interfaces. For example, iptables -A FORWARD -p ICMP -i eth0 -o eth1 -j ACCEPT Will only allow pings to pass from eth0 to eth1, but not the other way around. Of course, you also want to filter on source and destination IP addresses. You use the -s and -d flags, respectively, for example: iptables -A FORWARD -p ICMP -s remote -d admin -j ACCEPT This allows pings from the remote machine to the admin machine. Note that in your firewalls, you will often need to use -s, -d, -i, and -o all in a single rule, to prevent IP spoofing attacks. Also, you will need to filter on port numbers in your firewalls. To filter on destination port 80, for example, use flag --destination-port 80. The --source-port flag works in a similar way. 5.2 Testing tools We are providing you with three network testing/analyzing tools to use both in testing your own firewall in Phase I and attacking other firewalls in Phase II. These three (plus normal utilities on your PATH, such as ping and traceroute) should be sufficient; if there is another tool you d like to use for additional functionality, please check with your TA. NMAP NMAP tells you what ports are accessible. It tests whether a port that should be blocked is really blocked, and a port that should be open is indeed open. And it can do much, much more. Documentation for NMAP can be found at http://insecure.org/nmap/docs.html, or see its detailed man page. HPING HPING lets you craft packets and send them across the network. This is useful, for example, to verify that an outsider from the internet who is spoofing an internal IP cannot get access to the protected network. Documentation for HPING can be found at http://wiki.hping.org/94. HPING has many capabilities; try to think like a hacker and come up with clever packets that might sneak through the firewall. HPING in its most basic form will simply ping a remote host. For example, 5

hping3 admin will ping the admin machine. More interestingly, hping makes it easy to spoof the source IP address. For example, hping3 -a keyserver admin Will transmit packets to admin that have keyserver s source IP. Note that this works even from the remote machine. Your firewall design needs to consider this sort of spoofing. NGREP NGREP watches network traffic and displays the packets matching a rule you specify. This can be used in conjunction with HPING: HPING sends a packet and NGREP shows you the packet and any replies that go over the network. Documentation for NGREP can be found at http://ngrep.sourceforge.net/usage.html. You will use nmap, ngrep, and hping on the remote machine. You may also find it necessary to sniff traffic on the sensitive internal machines. To do this, you should use tcpdump. One thing to be careful about is interfaces. Each DETER machine has a connection to the outside world, which is what you use when logging in from outside DETER. You do not want to sniff traffic on this network or send your packets over it. When using the tools, you can specify an interface. First, determine which interface you want, by running ifconfig. ifconfig gives you a list of interfaces and the IP address each interface links to. IPs of the form 192.168.*.* are to the control network, do not use these. IPs of the form 10.1.*.* are for the internal network, DO use these. Here is how to make the tools use the appropriate interface. Consider using interface eth0. Call ngrep like this: ngrep -d eth0 -e On the BSD machines, use tcpdump instead, like this: tcpdump -i eth0 -e Note that the -e flag causes ngrep to display empty packets. empty packets are still interesting, so we want to see them. If you forget to include -e, empty packets will be displayed only as a hash mark, #, rather than a full header decode. Specifics about where to find these tools will be posted with your DETER instructions. 6 Submitting 6.1 Writeup For Phase I, you should primarily focus on writing your firewall scripts. You will have two scripts, one for each firewall in the network. You should also compose a short writeup that discusses the following points: How straightforward was writing these rulesets? What was the trickiest part? After completing these scripts, are you confident that you got them right? If you are unsure, what are you unsure about and why? What security goals were you not able to address to satisfaction with your firewall? Can you suggest other methods for dealing with any remaining security concerns? Did you have to make trade-offs between functionality and security? Were there any judgment calls you had to make when interpreting the high-level security goals? If so, please explain your reasoning. Please keep your writeup under 2000 words. A writeup much shorter than that is fine; as long as nothing important is missing and everything is clear, graders strongly prefer to read short writeups. 6

6.2 Submission instructions Here is how to submit for Phase I. This must be done on the instructional machines, and only one person from each group should run submit. Place your firewall rulesets (all scripts) and your writeup into a single tarball called phase1.tgz. Put phase1.tgz in a directory of its own, cd into that directory, and type submit phase1 It should say Submission complete. You should be hearing from us. If it doesn t say this, assume something is broken. If you can t get it to work, let your TA know as soon as possible. If it is 5 minutes before the deadline and it still isn t working, you may email your submission to your TA as a last resort. 6.3 Grading Phase I and Phase II will each compose approximately 50% of the grade for project 2. Here is a rough outline of how we will assign grades for Phase I (though we reserve the right to adjust this a bit if necessary): 30%: Complete functionality preserved. 50%: Secure against TA testing. 5%: Secure against peer testing. 15%: Writeup For the TA testing, we will not grade harshly if you did not think of something creative that we tried, but we do expect your firewalls to be generally robust against network attacks. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information